01/17/2018

What Are SPF, DKIM and DMARC, and How Do These Standards Increase Email Security?

by Dena Bauckman

SPF, DKIM and DMARC are industry standards that address email sender authentication. Sender Policy Framework (SPF) was first published as an experimental specification (RFC 4408) in April 2006 and was revised as a Proposed Standard (RFC 7208) in April 2014. SPF enables a domain owner to publish in the Domain Name System (DNS), as a TXT record, the mail hosts that are authorized to send email for the domain, listed as IP addresses or network ranges or by reference to other records (the a, mx and include mechanisms). A receiving system looks up the record for the domain in the SMTP envelope sender (MAIL FROM) and checks the connecting IP address against it; note that this is the envelope address, not the From: header the recipient sees. SPF has been broadly adopted by most organizations and is used by most email threat protection and anti-virus/anti-spam (AV/AS) solutions to verify that the host sending an email is authorized to send for that domain.
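As an added illustration (example code written for this page, not part of Zix's products or of the original article), the check a receiving system performs can be written out. The block below is a small SPF evaluator in Go: it reads the domain's record from a constructed in-memory DNS table (the example.com, _spf.mailprovider.example and loop.example records are invented for the example), walks the terms with their +, -, ~ and ? qualifiers, recurses through include, and enforces the 10-lookup limit of RFC 7208. The a, mx, ptr and exists mechanisms and modifiers such as redirect= are deliberately left out to keep it short.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Result is an SPF evaluation result (RFC 7208 section 2.6).
type Result string

const Pass, Fail, SoftFail Result = "pass", "fail", "softfail"
const Neutral, None, PermError Result = "neutral", "none", "permerror"

// DNS is a constructed, in-memory stand-in for TXT lookups so the example runs
// offline; a real checker queries the resolver for each domain it reaches.
var DNS = map[string][]string{
	"example.com":               {"v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all"},
	"_spf.mailprovider.example": {"v=spf1 ip4:203.0.113.0/25 ip6:2001:db8::/32 ~all"},
	"loop.example":              {"v=spf1 include:loop.example -all"},
}

var qualifiers = map[byte]Result{'+': Pass, '-': Fail, '~': SoftFail, '?': Neutral}

// evaluator counts DNS-querying mechanisms; RFC 7208 section 4.6.4 caps them at 10 per check.
type evaluator struct{ lookups int }

func (e *evaluator) lookup() bool { e.lookups++; return e.lookups <= 10 }

// cidrMatch tests ip against "addr" or "addr/len"; a bare address gets a full-length mask.
func cidrMatch(ip net.IP, spec string, bits int) (bool, error) {
	if !strings.Contains(spec, "/") {
		spec = fmt.Sprintf("%s/%d", spec, bits)
	}
	_, n, err := net.ParseCIDR(spec)
	return err == nil && n.Contains(ip), err
}

// check walks domain's SPF record for connecting address ip and returns the qualifier of the first matching mechanism.
func (e *evaluator) check(ip net.IP, domain string) Result {
	var record string
	for _, txt := range DNS[domain] {
		if txt == "v=spf1" || strings.HasPrefix(txt, "v=spf1 ") {
			record = txt // a full checker also rejects a domain publishing two SPF records (section 3.2)
		}
	}
	if record == "" {
		return None
	}
	for _, term := range strings.Fields(record)[1:] {
		qual := Pass // a mechanism without a qualifier means "+"
		if q, ok := qualifiers[term[0]]; ok {
			qual, term = q, term[1:]
		}
		if strings.Contains(term, "=") {
			continue // modifiers (redirect=, exp=) are not modelled here
		}
		name, arg, _ := strings.Cut(strings.ToLower(term), ":")
		matched := false
		switch name {
		case "all":
			matched = true
		case "ip4", "ip6":
			m, err := cidrMatch(ip, arg, map[string]int{"ip4": 32, "ip6": 128}[name])
			if err != nil {
				return PermError
			}
			matched = m
		case "include":
			if !e.lookup() {
				return PermError
			}
			switch e.check(ip, arg) {
			case Pass:
				matched = true
			case None, PermError:
				return PermError // including a missing or broken record is fatal (section 5.2)
			}
		default:
			return PermError // a, mx, ptr and exists are real mechanisms but not modelled here
		}
		if matched {
			return qual
		}
	}
	return Neutral // nothing matched and no "all" term
}

// CheckHost evaluates connecting address ip against the SPF record of the MAIL FROM (envelope sender) domain.
func CheckHost(ip, domain string) Result {
	if addr := net.ParseIP(ip); addr != nil {
		return (&evaluator{}).check(addr, strings.ToLower(domain))
	}
	return PermError
}

func main() {
	fmt.Println(CheckHost("192.0.2.10", "example.com"), CheckHost("203.0.113.200", "example.com"), CheckHost("::1", "loop.example"))
}
```

The loop.example record shows what happens when include chains grow past the limit: the checker returns permerror rather than a verdict, which is how receivers treat it and why bloated SPF records with many vendor includes quietly stop protecting a domain. Note also the asymmetry at include: an included record that returns softfail or neutral does not match, so example.com's -all still applies to an address the provider only soft-fails.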

DomainKeys Identified Mail (DKIM) became a standard (RFC 6376) in September 2011 and has strong adoption, though not at the level of SPF. DKIM allows an organization to digitally sign the emails it sends and publish the matching public key in DNS (as a TXT record at <selector>._domainkey.<domain>), so receiving mail systems can verify that the message was signed by the domain named in the signature (its d= tag) and that the signed headers and body were not altered in transit. Two problems remain with SPF and DKIM on their own. First, neither check ties the domain it authenticated to the From: address the recipient actually sees, so a message can pass both while displaying an unrelated From: domain. Second, the domain owner cannot control what the receiving mail system does if SPF or DKIM records do not exist, or if they exist but the check fails.
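An added example (written for this page, not code from Zix or from RFC 6376 itself) of the signing and verification steps in Go, using only the standard library. The key pair is generated in the program, the DNS record for the selector is built from it and kept in a constructed map standing in for the TXT lookup, and the header values, the domain example.com and the selector s1 are assumptions. It uses relaxed header canonicalization and simple body canonicalization (c=relaxed/simple), signs only From, To and Subject, and expects the headers keyed by lowercase name; a production verifier must handle more of the specification (folded b= values, multiple signatures, the l=, t= and x= tags).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

var wsp = regexp.MustCompile(`[ \t]+`)
var bTag = regexp.MustCompile(`(^|[;\s])b=[^;]*`) // the b= tag itself, never bh=

// canonHeader: "relaxed" header canonicalization (RFC 6376 section 3.4.2).
func canonHeader(name, value string) string {
	value = wsp.ReplaceAllString(strings.ReplaceAll(value, "\r\n", ""), " ")
	return strings.ToLower(name) + ":" + strings.TrimSpace(value) + "\r\n"
}

// bodyHash is the bh= tag: SHA-256 over the "simple" canonicalized body (section 3.4.3),
// i.e. CRLF line endings with trailing empty lines removed and one final CRLF.
func bodyHash(body string) string {
	body = strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	sum := sha256.Sum256([]byte(strings.ReplaceAll(body, "\n", "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// parseTags splits a "k=v; k=v" tag list (a DKIM-Signature value or a key record).
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, kv := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}

// signedData returns the octets the RSA signature covers (section 3.7): the headers
// named in h= (headers is keyed by lowercase name), canonicalized in that order, then
// the DKIM-Signature header itself with an empty b= value and no trailing CRLF.
func signedData(headers map[string]string, sigValue string) []byte {
	var b strings.Builder
	for _, h := range strings.Split(parseTags(sigValue)["h"], ":") {
		b.WriteString(canonHeader(h, headers[h]))
	}
	stripped := bTag.ReplaceAllString(sigValue, "${1}b=")
	b.WriteString(strings.TrimSuffix(canonHeader("DKIM-Signature", stripped), "\r\n"))
	return []byte(b.String())
}

func GenerateKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// KeyRecord is the TXT record the domain owner publishes at <selector>._domainkey.<domain>.
func KeyRecord(key *rsa.PrivateKey) string {
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// Sign returns the DKIM-Signature header value covering From, To, Subject and the body.
func Sign(key *rsa.PrivateKey, domain, selector string, headers map[string]string, body string) (string, error) {
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=from:to:subject; bh=%s; b=", domain, selector, bodyHash(body))
	digest := sha256.Sum256(signedData(headers, value))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return value + base64.StdEncoding.EncodeToString(sig), err
}

// Verify checks sigValue against the key published in dns (a constructed map standing in
// for TXT lookups) and returns the signing domain (d=) on success. A changed body fails
// the bh= comparison; a changed signed header or the wrong key fails the RSA check.
func Verify(dns map[string]string, sigValue string, headers map[string]string, body string) (string, error) {
	t := parseTags(sigValue)
	rec, ok := dns[t["s"]+"._domainkey."+t["d"]]
	if !ok {
		return "", fmt.Errorf("no key record published for s=%s d=%s", t["s"], t["d"])
	}
	der, errP := base64.StdEncoding.DecodeString(parseTags(rec)["p"])
	sig, errB := base64.StdEncoding.DecodeString(t["b"])
	if errP != nil || errB != nil {
		return "", fmt.Errorf("malformed base64 in key record or b= tag")
	}
	parsed, err := x509.ParsePKIXPublicKey(der)
	pub, isRSA := parsed.(*rsa.PublicKey)
	if err != nil || !isRSA {
		return "", fmt.Errorf("key record does not hold a valid RSA public key")
	}
	if bodyHash(body) != t["bh"] {
		return "", fmt.Errorf("body hash mismatch: body altered in transit")
	}
	digest := sha256.Sum256(signedData(headers, sigValue))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("signature invalid: signed headers altered or wrong key")
	}
	return t["d"], nil
}

func main() {
	key, hdr := GenerateKey(), map[string]string{"from": "Alice <alice@example.com>", "to": "bob@example.net", "subject": "Invoice 42"}
	sig, _ := Sign(key, "example.com", "s1", hdr, "Please pay $100.\r\n")
	fmt.Println(Verify(map[string]string{"s1._domainkey.example.com": KeyRecord(key)}, sig, hdr, "Please pay $100.\r\n"))
}
```

Verify reports a body change and a signed-header change as different failures, and checks the body hash (bh=) before any public-key operation, which is also how a verifier avoids spending RSA work on a message that has obviously been altered. Headers not listed in h= (Date or Reply-To, for instance) are not covered by the signature and can be changed without invalidating it, which is why the list should include every header a recipient might act on.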

Published in March 2015, Domain-based Message Authentication, Reporting and Conformance (DMARC) is the most recent of the three (RFC 7489, issued as an Informational RFC rather than on the standards track) and addresses both gaps. A message passes DMARC only if SPF or DKIM passes and the domain that check authenticated aligns with the From: header domain, either exactly or by sharing the same organizational domain, as selected by the record's aspf and adkim tags. With DMARC, organizations publish in DNS (at _dmarc.<domain>) what receiving mail servers should do with messages from their domain that fail this test: reject them, quarantine them (for example by delivering them to the spam folder) or take no action. It also provides a mechanism for receiving mail systems to report results back to the domain owner: aggregate reports (rua) summarizing passing and failing sources, and optional per-message failure reports (ruf). Most organizations start with a policy of p=none, which instructs the receiver to take no action but still report, so that legitimate senders that fail can be found and fixed. Once they are sure SPF and DKIM are working for all of their mail streams, they move to quarantine and then reject, often ramping up with the pct tag so that only a percentage of failing messages receives the stricter action.

Implementing these three standards prevents attackers from spoofing a company's exact domain in the From: header, at least at receivers that enforce DMARC, but the implementation and management can be difficult. To fully implement DMARC, an organization must identify all departments and third parties that send email using its domains; marketing platforms, ticketing systems and payroll or CRM providers are the senders most often missed. It must then identify all IP addresses used by those sending hosts and ensure every host DKIM-signs its mail with a key the organization publishes. The organization then publishes DNS records: an SPF record listing those IPs or including the third parties' own SPF records, and a DKIM record per selector carrying each public key. Finally, it publishes a DMARC record that states the policy to apply when neither aligned check passes and where to send reports. Two caveats matter in practice. DMARC passes if either aligned check passes, and forwarding and mailing lists routinely break SPF because the forwarder's IP is not in the record, so DKIM signing on every legitimate stream is what keeps that mail deliverable once the policy is reject. And SPF evaluation is capped at ten DNS-querying mechanisms (include, a, mx and similar), so a record that includes many vendors can exceed the limit and return a permanent error instead of a pass. Going forward, the organization must keep the SPF and DKIM records current as senders change, rotate DKIM keys, and make someone responsible for reviewing the reports sent by receiving mail servers so that issues are found and fixed quickly.
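An added example, written for this page (not Zix code), of the receiver-side decision that the DMARC paragraphs above describe, in Go. It takes the outcomes of the SPF and DKIM checks as inputs (the domain each one authenticated and whether it passed) and does only the DMARC part: look up _dmarc.<domain> in a constructed DNS table, fall back to the organizational domain for subdomains, test alignment in strict or relaxed mode, pick p= or sp=, and honour pct=. The records for example.com, partial.example and the lookalike examp1e.com, the small public-suffix table used to find organizational domains, and the draw parameter standing in for the receiver's random sampling are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthResult is what an SPF or DKIM check already produced for a message: the domain
// it authenticated (the MAIL FROM domain, or the DKIM d= tag) and whether it passed.
type AuthResult struct {
	Domain string
	Pass   bool
}

// Verdict is what a receiver records per message and later sends back in aggregate reports.
type Verdict struct {
	Policy      string // the p= (or sp=) value that applied
	SPFAligned  bool
	DKIMAligned bool
	Disposition string // none, quarantine or reject
	Reason      string
}

// DNS is a constructed stand-in for TXT lookups of _dmarc.<domain>; examp1e.com is an
// attacker-registered lookalike that has published its own valid record.
var DNS = map[string]string{
	"_dmarc.example.com":     "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; rua=mailto:dmarc@example.com",
	"_dmarc.partial.example": "v=DMARC1; p=reject; pct=50",
	"_dmarc.examp1e.com":     "v=DMARC1; p=reject",
}

// suffixes is a constructed stand-in for the Public Suffix List that DMARC uses to
// derive the organizational domain (RFC 7489 section 3.2).
var suffixes = map[string]bool{"com": true, "example": true, "co.uk": true}

func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	for i := 1; i < len(labels); i++ {
		if suffixes[strings.Join(labels[i:], ".")] {
			return strings.Join(labels[i-1:], ".")
		}
	}
	return strings.ToLower(d)
}

func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, kv := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}

// aligned implements identifier alignment (section 3.1): strict ("s") requires the
// authenticated domain to equal the From: domain, relaxed (the default) only the same
// organizational domain.
func aligned(from, auth, mode string) bool {
	if mode == "s" {
		return strings.EqualFold(from, auth)
	}
	return orgDomain(from) == orgDomain(auth)
}

// Evaluate applies the DMARC policy for a message's From: domain given its SPF and DKIM
// results. draw is the receiver's random number in [0,100) that pct= is compared against;
// it is a parameter so the example is deterministic.
func Evaluate(fromDomain string, spf AuthResult, dkim []AuthResult, draw int) Verdict {
	fromDomain = strings.ToLower(fromDomain)
	org := orgDomain(fromDomain)
	rec, ok := DNS["_dmarc."+fromDomain]
	if !ok {
		rec, ok = DNS["_dmarc."+org] // a subdomain without its own record uses the organizational domain's (section 6.6.3)
	}
	if !ok {
		return Verdict{Disposition: "none", Reason: "no DMARC record"}
	}
	tags := parseTags(rec)
	v := Verdict{Policy: tags["p"]}
	if sp := tags["sp"]; sp != "" && fromDomain != org {
		v.Policy = sp // sp= overrides p= for subdomains
	}
	v.SPFAligned = spf.Pass && aligned(fromDomain, spf.Domain, tags["aspf"])
	for _, d := range dkim {
		v.DKIMAligned = v.DKIMAligned || (d.Pass && aligned(fromDomain, d.Domain, tags["adkim"]))
	}
	if v.SPFAligned || v.DKIMAligned {
		v.Disposition, v.Reason = "none", "dmarc=pass"
		return v
	}
	v.Disposition, v.Reason = v.Policy, "dmarc=fail"
	pct := 100
	if p, ok := tags["pct"]; ok {
		fmt.Sscan(p, &pct)
	}
	if draw >= pct { // unsampled failures get the next less severe action (section 6.6.4)
		v.Disposition = map[string]string{"reject": "quarantine", "quarantine": "none", "none": "none"}[v.Policy]
	}
	return v
}

func main() {
	fmt.Printf("%+v\n", Evaluate("example.com", AuthResult{"bounce.example.com", true}, nil, 0))
	fmt.Printf("%+v\n", Evaluate("example.com", AuthResult{"attacker.example", true}, []AuthResult{{"mail.example.com", true}}, 0))
}
```

The Verdict it returns is the per-message row that ends up in the aggregate (rua) report the domain owner reviews: which check aligned, which policy applied and what was done. Two of the cases are worth running: sub.example.com, which has no record of its own and inherits sp=quarantine from example.com, and examp1e.com, the attacker-registered lookalike, which passes cleanly because the attacker published correct records for the domain they actually own.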

Zix Support for SPF, DKIM and DMARC

Zix uses the SPF, DKIM and DMARC standards across its email security products. The following is a summary of where and how we use these standards to help protect our customers.

Email Encryption: When a customer implements Zix email encryption, Zix becomes one of their sending mail hosts and must therefore be covered by the customer's SPF and DKIM records. As part of the deployment process, we can provide customers with the IP addresses to add to their SPF record and the public key information to publish in a DKIM record in their DNS. For customers with a Zix secure portal on a domain owned by Zix, Zix publishes the appropriate SPF and DKIM records, and also publishes DMARC records for those Zix-owned secure portal domains. Customers that keep ownership of their secure portal domains can publish DMARC records once SPF and DKIM have been enabled.

Threat Protection: Zix's threat protection service uses SPF, DKIM and DMARC to authenticate the sender of inbound emails to our customers. We also use them to protect against business email compromise (BEC) attacks in which an attacker spoofs the customer's own domain: for inbound emails whose From: address claims the customer's domain, we look up the policy in the customer's DMARC record, verify that the sending host's IP is authorized by the SPF record and verify the DKIM signature against the published public key.

One thing that SPF, DKIM and DMARC do not protect against is lookalike-domain impersonation, where the attacker registers a domain that differs only slightly from the real one (e.g. zixcorp.com versus zixc0rp.com). Because the attacker owns that domain, they can publish valid SPF, DKIM and DMARC records for it, and mail from it passes all three checks. ZixProtect identifies this type of attack and has other techniques to identify when an attacker is sending from a legitimate domain but trying to trick the user into thinking the message is from another trusted sender, for example by placing a known executive's name in the display name.

Limits and Benefits of Standards

SPF, DKIM and DMARC can protect a company against spoofing of its own domain, provided the records are correct and the receiving systems enforce them. However, these standards require resources to implement and manage. In addition, email spoofing is only one of the methods attackers use against your email, so organizations still need a threat protection solution that can identify a variety of attack methods and protect against them.

To learn what other layers of protection are needed and how Zix solutions deliver superior security, please register for our weekly demo or contact our team to set up a discussion.